Access Control List (ACL) is a way to control access for user in an application. This page contains Access Control List sample using Java, this article show an ACL demo application in Java web application, that i hope will make better understanding of what Access Control List (ACL) is. You can find resources that will explain what ACL is, but i think demo application is more effective for understanding about ACL.

Download ACL demo application from ziddu and 4shared, it’s a Java web application, furthermore it’s Songs database application. The application is using following technology/library : JSP, Servlet, EL, Hibernate/JPA. For simplicity, i’m using JSP and servlet for presentation layer and controller, and Hibernate for database layer so i dont have to deal with SQL (i hate it :p ). This application is an IntelliJ IDEA project, you need to re-create project if you are using Eclipse or Netbeans, and add the classes/library accordingly. I use Apache Tomcat 6 for application server.

Note: Because Tomcat is actually a Servlet container rather Application Server (e.g Glassfish, Geronimo, JBoss, etc), basically Tomcat dont have Java EE library, while i’m using Hibernate/JPA annotations (for object-table database mapping) which is using Java EE library, you need to place javaee.jar in “<TOMCAT_HOME>/lib” folder before running tomcat, DO NOT put javaee.jar in application lib directory, it’s against Java Servlet specification

You may want to edit “hibernate.cfg.xml” first to match your environtment. I’m using Mysql database for this demo. Before running the application please run “acl.demo.util.SetUpACLDemoData” class, this class will set up the data on database so the application can run. Now run the application server, open the browser and go to http://localhost:8080/ACLDemo, this will open login page.Login page

We can’t see other page if we hasn’t login, I create a SecurityFilter class for this, it’s a Servlet Filter that will intercept all request, checked whether there’s user session in session, if it’s not it will send us to login page.

To login, we can use one of the following account:
– admin/admin (Administrator)
– zidane/password (SuperAdministrator)
– kabayan/kabayan (DataEntry)
– tamara/tamara (Administrator)

The one in the parentheses is the type of a user. Type of a user will determine his/her rights of accessing something (e.g resources, page, module, etc), different user type will have different rights for accessing some pages (e.g “DataEntry” user can’t access “Administrator” level page). You can try to login with above different account and see not all the user have the same rights access. We will examine how this is happen, this is what Access Control List is.

Now login as “SuperAdministrator” so we can see all the page/module. As mention earlier this demo is a Songs database application, it’s had modules such as “Song”, “Album”, “Singer”, and “Genre”, which actually is a dummy page. It’s static, I don’t get the data from database and there’s no corresponding table also. Other modules is “ACL”, “Users”, and “UserType”, which corresponding to what we are talking about, the Access Control List (ACL). We retrieve the data from databases, as well we can add or edit, but for simplicity i don’t add delete/remove functionality. Module “ACL”, “Users”, and “UserType” are important component in this version of ACL’s, they collaborate each other determine how a user have the rights to access a modules or to do some action (e.g Insert, Update, Delete).

index.jsp

This is the dummy modules:

This is the corresponding ACL’s modules:UserType

User

Access Control List

In this demo to manage an ACL we start by creating a user type then assign that user type to some user. Everytime we make new user type, the application also make ACL’s for that user type. Let’s make a “UserType” that i will called it “Editor” and see what happen.

After we save the “Editor” user type, it will redirect us to ACL page. We can see there’s ACL’s for “Editor” user type created by application for us, what we only need to set is what modules and what action that the “Editor” can access. Let’s say I just want the “Editor” has the rights to update/edit every module except administrator level module, I’ll set the ACL’s for “Editor” like below picture (note: module “ACL” and “User” is administrator level module)

Then make a User and assign the “Editor” user type to him/her (I do not add functionality to edit user type of a User). My new user will look like this:

Please logout and login as “Editor” user. We can see that the menu in front page is not as complete as Administrator user, also the user can’t add new or delete record.

Now let we examine the code. The code structure look like this:

Now let’s see why some buttons or links can “missing” or display according to type of user account. In almost every buttons or links that I want to restrict, I put code something like this;

“aclManager” is a “acl.demo.manager.AccessControlListManager” class, because I know that there’s “acl.demo.entity.UserSession” object on the Session, i just send “session” object as parameter to method like “allowView”, “allowInsert”, etc, to determine the user type. The “acl.demo.enums.Permission” is to determine the existing modules and what module the page is.AccessControlListManager